“I think this is a wave that has caught us all a little by surprise,” says reflective Luis Abril, a Spaniard in charge of Indra-Minsait, a technology company that provides innovative solutions in cybersecurity. We are in the middle of Fidae 2024. Yes, the fair that made headlines for the marginalization of Israel, one of Chile’s main suppliers of weapons and military technology. But Abril is oblivious to the controversy and his thing is data, physical and operational cybersecurity. A world that seems far away, but that day after day poses risks and requires prevention.
-Why do you have to be prepared at all times for cyber threats?
-This whole world advances very quickly and cybercriminals learn very quickly and it is also easier to destroy than to create, which is why they have a position first simpler. It is a wave that catches us all a little off guard and that is a little marked by how advanced the regulation is in each case, right? Because Europe has been at the forefront of regulation and has been the first geographical region to launch a fairly detailed regulation on what needs to be done in terms of cybersecurity and how to take advantage of the available technology, which is global. Now, I believe that after Europe, probably the most advanced country in the world, from a normative and regulatory point of view, with the latest law that you have just promulgated – the Framework Law on Cybersecurity – is Chile. I think that this is a fairly advanced law, quite complete, that covers a lot of dimensions that need to be protected and that marks the next steps in terms of how the relevant cybersecurity agencies have to operate, what type of additional regulation will be necessary. It sets a fairly clear path for next steps.
The Unique Key and an example of systems vulnerability
Although it is difficult for Luis Abril to measure things like the Unique Code, he recognizes the advances in the use of technology in Chile, but at the same time he warns of an enormous weakness regarding data protection. “For example, there are no citizens’ mobile phones to be able to use double authentication factor and ensure that when you actually enter a website with that password it is you and not me.”
With that reflection, Abril enters fully into “digital identity” and how it should be managed. “In other words, this has a lot of science behind it, because in the end you can demonstrate digital identity either with an electronic signature or with a fingerprint or with an iris or with very diverse technologies behind it that will have to be leveraged.”
-That is, we are more permanently exposed, right?
-I mean, yes. And as the world becomes more complex and the world becomes digitalized, well, this exhibition exists. And the opportunities to enter a system will always continue to be there. But technology, again, also advances. There are times when the cybercriminal advances faster, because of what we said, that it is easier to destroy than to build, but the technology is quite advanced as well. I have told you a little about digital identity. There is another block beyond digital identity that simply has to do with incident monitoring and detection systems. The SOCs (Security Operations Center), that at Minsait we have four in the world to globally cover our activity in more than 50 countries, and that they are increasingly more sophisticated and incorporate artificial intelligence to, in some way, analyzing behavioral patterns of each other, anticipate those incidents. So, technology in that sense also advances to try to detect the entry methods of cybercriminals.
-There is much discussion about the usefulness and fear of artificial intelligence. Finally, are they tools that could help us?
-Come on, artificial intelligence, in the end, especially generative intelligence, which is the most sophisticated, the latest that has come out, which allows you to generate new things, that is what I am talking about. Artificial intelligence allows you to generate texts, programming code, video, audio. You can also incorporate this artificial intelligence into the world of cybersecurity, because, basically, what it does is analyze enormous amounts of data and, as I say, create or deny false creations. That is, you, with artificial intelligence, can identify a video, an audio or that is fake. You have what are called LLMs (Large Language Models), which analyze enormous amounts of data, and then create and then compare to see what is true, what is false, analyze patterns, etc. So, artificial intelligence is increasingly incorporated more clearly into all these services that companies like ours provide to try to detect incidents and prevent them.
-Beyond the misgivings that AI may cause, the truth is that in analyzing large amounts of data it seems advantageous and much more effective.
-What you say is true, I think artificial intelligence is a little scary, depending on how you approach it. I believe that here, again, the key role is that of regulation. But uncontrolled artificial intelligence, both in the world of cybersecurity and beyond it, can be dangerous, but it is already being regulated as well. I believe that there are clear regulations that ensure that artificial intelligence has to be ethical, it has to be transparent, it has to be explainable. I believe that you cannot put doors on the field either and, therefore, you cannot ensure that… I believe that regulating in the direction that almost everything that artificial intelligence does has to be supervised by oneself. The human thing doesn’t make much sense later, which is why I say that you can’t put doors on the field. But a certain regulation of how far artificial intelligence can go and how what is done with artificial intelligence is minimally controlled and, obviously, how we establish rules for ourselves in the end to work correctly.
Digital sovereignty
-Regarding the conflict between Ukraine and Russia, much of it is fought in cyberspace. What about modern conflicts?
-I think it has to do with some of the things we have talked about. That is, in these war conflicts from cyberspace, attacks on critical infrastructure can play a role, because they leave a city without power. A hacker powerful leaves you without power in a city, attacking the two fundamental critical infrastructures of the city. So, I think this is a dimension that must be taken into account. But there are also some issues of protection at the country level, of how to manage data sovereignty, which in Europe is also beginning to have regulation on this issue. Regarding sensitive data, first identify it, what are the sensitive data that as a country you want to have and cannot allow it to leave the country. And so you regulate down to where they are physically; in which server; in which cloud they have to be within the country; with what encryption keys; or with what type of encryption; which technology provider gives you the encryption keys; it has to be national; it can be international; from a friendly country; where it can’t be from. I believe that all these issues of digital sovereignty are another field of reflection associated with the cybersecurity world, in this entire geopolitical balance between countries, which we have to take into account.